I’m not a security expert, but this warning at the Citicards site was quite a shock:

Customers using comment or blog tracking services on their computers run the risk that information submitted here could be displayed on those websites. Please disable your comment and blog tracking service before using Citi Cards Message Center.

Is this a real danger? What do you think?

Update (11/19): Several commenters here and on TechCrunch confirm what I thought myself: the warning likely refers to “tracking” products that offer a browser plug-in. In this case I was using Firefox with the BlogRovr plugin turned on. I know coComment offers a plugin, and whoever else does … well, Citibank considers it a security risk. Hm… food for thought.

Update #2: Wow, apparently this has been a well-documented problem for at least half a year, so Citi’s solution is to finally put up a warning message.




8 Comments to “Blog Tracking Services Compromise Online Bank Security?”

  1. Paul | November 18th, 2007 at 8:27 pm

    It could well be a threat vector. Essentially it turns a one way service into a two way

  2. Voyagerfan5761 | November 18th, 2007 at 11:00 pm

    No service I know of could steal data from a banking site, but I’m no more a security expert than you, so…

  3. TechCrunch: Are Blog Tracking Services A Security Risk? Citibank Thinks So | November 19th, 2007 at 8:59 pm

    [...] Erdos uses both MyBlogLog and BlogRovr and got a rather interesting message whilst trying to log into [...]

  4. Niall Kennedy | November 19th, 2007 at 9:40 pm

    I am guessing Citibank is warning you about the Firefox extensions and other browser modifications that may scan the page looking for actionable objects. A service such as coComment might sniff for comment boxes such as this one looking for an opportunity to send that comment field to its remote web service for storage and indexing.

    Were you running Firefox? The Citibank page could look for certain JS variables present in the DOM and send you a warning. Gmail currently issues tips/warnings for its members with Firebug turned on for example.

  5. Todd Sampson | November 19th, 2007 at 9:44 pm

    I am pretty sure that Niall is right. It is the only thing that makes sense. MyBlogLog and other web-based services would need to be installed on the Citibank site itself for any usage tracking to occur.

    Cheers,
    Todd

  6. Zoli Erdos | November 19th, 2007 at 11:23 pm

    Yes, I also thought they were referring to trackers that come with a browser plug-in. In this case I was using Firefox and there is a BlogRovr plugin, which I was testing… and, like Niall points out, coComment has a plugin, too, and who knows whatever else. Not very reassuring… I’m turning BlogRovr off.

  7. Zoli Erdos | November 19th, 2007 at 11:35 pm

    Citi does not test for the presence of browser extensions: I just went back and tested it after uninstalling BlogRovr, then again with a vanilla IE7 and saw the same message, so it’s a generic warning.

    This was at citicards.com, trying to send a customer service message, but I suppose the same situation applies to any site that offers message boxes.

  8. NexGen Technology Blog » Are Blog Tracking Services A Security Risk? Citibank Thinks So | November 20th, 2007 at 10:50 am

    [...] Erdos uses both MyBlogLog and BlogRovr and got a rather interesting message whilst trying to log into [...]
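
The page-side check Niall Kennedy describes in comment 4 (a site looking for JS variables that an add-on leaves in the page), as an added example that is not part of the original post or any commenter's code: it diffs the page's global names against an early snapshot and flags script sources outside an allow-list. The names `blogTrackerToolbar`, `tracker.example`, `bank.example` and the `chrome://blogtracker` URL are constructed for illustration.

```javascript
// Added example; every name and URL here is constructed for illustration.

// Record the global names present before any third-party code can run.
function snapshotGlobals(win) {
  return new Set(Object.getOwnPropertyNames(win));
}

// Globals that appeared after the snapshot and that the site did not define.
function findUnexpectedGlobals(baseline, win, siteGlobals = []) {
  const expected = new Set(siteGlobals);
  return Object.getOwnPropertyNames(win)
    .filter((name) => !baseline.has(name) && !expected.has(name))
    .sort();
}

// Script sources whose origin is not on the site's allow-list.
function findForeignScripts(scriptSrcs, pageUrl, allowedOrigins) {
  const allowed = new Set(allowedOrigins);
  return scriptSrcs.filter((src) => {
    try {
      return !allowed.has(new URL(src, pageUrl).origin);
    } catch {
      return true; // unparsable source: report it rather than trust it
    }
  });
}

// Constructed stand-in for the page's window object and its script tags.
const pageWindow = { document: {}, location: {} };
const baseline = snapshotGlobals(pageWindow);
pageWindow.messageForm = {};        // defined by the site itself
pageWindow.blogTrackerToolbar = {}; // hypothetical add-on injection
const scriptSrcs = [
  "/js/message-center.js",
  "https://tracker.example/collect.js",
  "chrome://blogtracker/content/overlay.js",
];

function runDemo() {
  return {
    globals: findUnexpectedGlobals(baseline, pageWindow, ["messageForm"]),
    scripts: findForeignScripts(scriptSrcs, "https://bank.example/messages",
      ["https://bank.example"]),
  };
}

console.log(runDemo());
```

Content scripts of current browser extensions run in an isolated world, so a check like this only sees what an add-on places into the page's own scope or DOM.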
